MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RiseProStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877
SHA3-384 hash: 5101277cca5a3b77cba6165094cbabde7cf5d92d2283df55a14eaa309de9f5af7ace6e744f3b7f94224751bce2d35b62
SHA1 hash: 9933b57efed3f026b9193bedb1fe559557e7d740
MD5 hash: cbc9dd6c85cfe8a760ce081a1bf0db0b
humanhash: enemy-edward-freddie-johnny
File name:cbc9dd6c85cfe8a760ce081a1bf0db0b.exe
Download: download sample
Signature RiseProStealer
Create hunting rule
File size:1'571'328 bytes
First seen:2023-12-15 18:33:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:SyUJgO80RQf3nV39rc948nObq9JV6W//1DXITSvoRmRyuNYfqmx8:5kpQ/nV6eCYPW/9DXuSwREyu+fRx
Threatray 2'640 similar samples on MalwareBazaar
TLSH T1C3752352B7C584B2D8B62BB024FB27C31B313CE66C7541AF65E2189A94735C47AB073B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe RiseProStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467731/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Behavior that indicates a threat
Searching for the browser window
DNS request
Sending a custom TCP request
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm azorult CAB control explorer installer installer lolbin lolbin packed risepro rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657c9c1ed48681e0d661d5b9/reports/3d2627eb-1f6d-47e3-b8e5-169b1a7f3338/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RisePro Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c2795e4-2bc2-440c-b926-c1421b583411
Result
Threat name:
PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362958
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to inject threads in other processes
Contains functionality to modify clipboard data
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Group Policy settings
Phishing site detected (based on logo match)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PrivateLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1362958 Sample: N39Gcr6Yrn.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 94 Antivirus detection for dropped file 2->94 96 Antivirus / Scanner detection for submitted sample 2->96 98 Yara detected PrivateLoader 2->98 100 4 other signatures 2->100 9 N39Gcr6Yrn.exe 1 4 2->9         started        12 OfficeTrackerNMP131.exe 10 1 2->12         started        16 OfficeTrackerNMP131.exe 10 2->16         started        18 6 other processes 2->18 process3 dnsIp4 68 C:\Users\user\AppData\Local\...\qr1Ax01.exe, PE32 9->68 dropped 70 C:\Users\user\AppData\Local\...\7fn4vn21.exe, PE32 9->70 dropped 20 qr1Ax01.exe 1 4 9->20         started        92 193.233.132.51 FREE-NET-ASFREEnetEU Russian Federation 12->92 120 Machine Learning detection for dropped file 12->120 122 Found stalling execution ending in API Sleep call 12->122 124 Disables Windows Defender (deletes autostart) 12->124 126 Contains functionality to inject threads in other processes 12->126 128 Exclude list of file types from scheduled, custom, and real-time scanning 16->128 130 Adds extensions / path to Windows Defender exclusion list (Registry) 16->130 132 Disable Windows Defender real time protection (registry) 16->132 24 chrome.exe 18->24         started        file5 signatures6 process7 file8 64 C:\Users\user\AppData\Local\...\2vi1000.exe, PE32 20->64 dropped 66 C:\Users\user\AppData\Local\...\1PP16Rd5.exe, PE32 20->66 dropped 102 Binary is likely a compiled AutoIt script file 20->102 104 Machine Learning detection for dropped file 20->104 26 2vi1000.exe 11 13 20->26         started        30 1PP16Rd5.exe 12 20->30         started        signatures9 process10 file11 72 C:\Users\user\AppData\...\FANBooster131.exe, PE32 26->72 dropped 74 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 26->74 dropped 76 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 26->76 dropped 78 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 26->78 dropped 106 Machine Learning detection for dropped file 26->106 108 Found stalling execution ending in API Sleep call 26->108 110 Disables Windows Defender (deletes autostart) 26->110 118 6 other signatures 26->118 32 schtasks.exe 1 26->32         started        34 schtasks.exe 1 26->34         started        112 Binary is likely a compiled AutoIt script file 30->112 114 Found API chain indicative of sandbox detection 30->114 116 Contains functionality to modify clipboard data 30->116 36 chrome.exe 1 30->36         started        39 chrome.exe 30->39         started        41 chrome.exe 30->41         started        43 7 other processes 30->43 signatures12 process13 dnsIp14 45 conhost.exe 32->45         started        47 conhost.exe 34->47         started        86 192.168.2.4 unknown unknown 36->86 88 192.168.2.7 unknown unknown 36->88 90 239.255.255.250 unknown Reserved 36->90 49 chrome.exe 36->49         started        60 2 other processes 36->60 52 chrome.exe 39->52         started        54 chrome.exe 41->54         started        56 chrome.exe 43->56         started        58 chrome.exe 43->58         started        62 5 other processes 43->62 process15 dnsIp16 80 twitter.com 104.244.42.129 TWITTERUS United States 49->80 82 t.co 104.244.42.133 TWITTERUS United States 49->82 84 93 other IPs or domains 49->84
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2023-12-14 04:04:46 UTC
File Type:
PE (Exe)
Extracted files:
165
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxl4wcuudt3ge4pwzy5xcrcch46turfgrrjmzoaacye2mderhb3q._file
Verdict:
unknown
Similar samples:
1919d938556e92e5bc7550a58904295056000bbc1c7ff9c39d778d810036d7cf
RiseProStealer
28d3195daf8b48fa262cc9be185e9dd402f79be472874b4070dd0516744b8a63
RiseProStealer
7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce
RiseProStealer
8003e04f598f75df475bebdafb8b1702c4bdff87067b6554942a795a50c5bb73
RiseProStealer
845321e0072b6a37c502b6f5992d8e750ac254c3b09c9e55874722fae5ba87d4
RiseProStealer
86de0eece0f433c1dad9c51b60a11e39346f6da14ad576d78bd72600d963f80a
RiseProStealer
8df6ff949de778a20deb98bd90e21d9e9449045b73f75cd62c051957997882bb
RiseProStealer
aa3a84d69bd27931f0e7aeda5ff5cb4f7780644c2bb59bc1c374470c8109d2da
RiseProStealer
bb1b75ca2b1cf87a535caf84537badae8ea32f9565c45a8eb955002d708cf258
RiseProStealer
ce78b18767d7895f03c85d5993742c8b0b02c2b9a64db086191ae434f9991d19
RiseProStealer
+ 2'630 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:privateloader family:risepro brand:google brand:paypal loader persistence phishing stealer
Link:
https://tria.ge/reports/231215-w7tk3sgffk/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detect Lumma Stealer payload V4
Detected google phishing page
Lumma Stealer
PrivateLoader
RisePro
Malware Config
C2 Extraction:
193.233.132.51
http://soupinterestoe.fun/api
http://dayfarrichjwclik.fun/api
http://neighborhoodfeelsa.fun/api
http://ratefacilityframw.fun/api
Unpacked files
SH256 hash:
b4b9d3d19b29abcde4071d3daba52adc7387e74e5b62fd348102d19c58c92243
MD5 hash:
f29c4108724577ed6d8ab5d206e70fd8
SHA1 hash:
d44d24d49177c07339f52d58a3045c4787d6dd71
Link:
https://www.unpac.me/results/b7df0584-838c-428f-a499-f23c10c3d917/
SH256 hash:
746ba9b3c5d4bb454aa7e7f2103e3781439b1b5808705d180abbec54f668180b
MD5 hash:
5c25ea1199c0d2b36b6e022a967dd92f
SHA1 hash:
b0d260702d1f90f5ae55291557e6f57fc6126fbc
Link:
https://www.unpac.me/results/b7df0584-838c-428f-a499-f23c10c3d917/
SH256 hash:
fe0f22480690106246bc6bf9c3f26d49afc01f068a6d334edd88967feab94dc3
MD5 hash:
c0db10c672b90575d66c4d7935fbfacf
SHA1 hash:
f4742d949709f9785de5bef4f30be250593e3237
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/b7df0584-838c-428f-a499-f23c10c3d917/
SH256 hash:
35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877
MD5 hash:
cbc9dd6c85cfe8a760ce081a1bf0db0b
SHA1 hash:
9933b57efed3f026b9193bedb1fe559557e7d740
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/b7df0584-838c-428f-a499-f23c10c3d917/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35d7cb0a941c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RiseProStealer

Executable exe 35d7cb0a941cf66271f6ce3b7144423f3d3a44a68c52ccb8001609a60c913877

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467731/

Comments